Foxit's updated PDF reader still open to attack

Malware embedded in PDFs still a danger, says researcher

Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week. But the Belgium researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit's fix didn't protect users from his attack tactics.

The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.

"Foxit adds prompts to all pop-ups within PDFs," said Christina Wu of Foxit in an email reply to questions. "For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not."

Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code - which he has not released to the public - still works when pitted against the updated Foxit Reader.

"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but ... the Adobe PoC works for Foxit now," said Stevens in an entry on his blog.

Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.

Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential victim to allow the launch action.

While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.

Didier did not reply today to a request seeking further comment about the Foxit update, or whether he was able to change that program's warning message, as he has been able to do to Adobe's.

Today, Stevens also confirmed that Adobe Reader users can defend their PCs by disabling the /Launch function, a crucial component of his attack. To do so, users must clear the check from the box marked "Allow opening of non-PDF file attachments with external applications" in the Trust Manager section of Reader's preferences.

Foxit does not have a similar setting.

Last week, Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept demonstration, but it did not commit to making any change in its PDF software, saying only that it was "always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."